{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1354", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-01-22T18:31:58.496Z", "datePublished": "2026-04-21T21:43:53.276Z", "dateUpdated": "2026-04-21T21:43:53.276Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-04-21T21:43:53.276Z"}, "title": "Zero Motorcycles Firmware Key Exchange without Entity Authentication", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-322", "description": "CWE-322", "type": "CWE"}]}], "affected": [{"vendor": "Zero Motorcycles", "product": "Zero Motorcycles firmware", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "44", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Zero Motorcycles firmware versions 44 and prior enable an attacker to \nforcibly pair a device with the motorcycle via Bluetooth. Once paired, \nan attacker can utilize over-the-air firmware updating functionality to \npotentially upload malicious firmware to the motorcycle. The motorcycle \nmust first be in Bluetooth pairing mode, and the attacker must be in \nproximity of the vehicle and understand the full pairing process, to be \nable to pair their device with the vehicle. The attacker's device must \nremain paired with and in proximity of the motorcycle for the entire \nduration of the firmware update.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Zero Motorcycles firmware versions 44 and prior enable an attacker to \nforcibly pair a device with the motorcycle via Bluetooth. Once paired, \nan attacker can utilize over-the-air firmware updating functionality to \npotentially upload malicious firmware to the motorcycle. The motorcycle \nmust first be in Bluetooth pairing mode, and the attacker must be in \nproximity of the vehicle and understand the full pairing process, to be \nable to pair their device with the vehicle. The attacker's device must \nremain paired with and in proximity of the motorcycle for the entire \nduration of the firmware update."}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-06"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-06.json"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.4, "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.9, "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "workarounds": [{"lang": "en", "value": "Zero Motorcycles has investigated this report and cautions users to pair\n their mobile device to their vehicle in a safe location where they can \nbe sure no one else will try to pair at the same time. Once initiated, \ncomplete the full pairing process and confirm it is successful. Store \nphysical keys in a secure location and do not leave the bike unattended \nwith the key in the \"ON\" position. Zero Motorcycles plans to address \nthis issue in a firmware update scheduled for release in May 2026. \nUpdate the firmware to the latest available version.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Zero Motorcycles has investigated this report and cautions users to pair\n their mobile device to their vehicle in a safe location where they can \nbe sure no one else will try to pair at the same time. Once initiated, \ncomplete the full pairing process and confirm it is successful. Store \nphysical keys in a secure location and do not leave the bike unattended \nwith the key in the \"ON\" position. Zero Motorcycles plans to address \nthis issue in a firmware update scheduled for release in May 2026. \nUpdate the firmware to the latest available version."}]}], "credits": [{"lang": "en", "value": "Persephone Karnstein of Bureau Veritas Cybersecurity North America reported this vulnerability to CISA.", "type": "finder"}], "source": {"advisory": "ICSA-26-111-06", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Zero Motorcycles firmware versions 44 and prior enable an attacker to \nforcibly pair a device with the motorcycle via Bluetooth. Once paired, \nan attacker can utilize over-the-air firmware updating functionality to \npotentially upload malicious firmware to the motorcycle. The motorcycle \nmust first be in Bluetooth pairing mode, and the attacker must be in \nproximity of the vehicle and understand the full pairing process, to be \nable to pair their device with the vehicle. The attacker's device must \nremain paired with and in proximity of the motorcycle for the entire \nduration of the firmware update."}], "id": "CVE-2026-1354", "lastModified": "2026-04-21T22:16:18.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-04-21T22:16:18.643", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-06.json"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-06"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-322"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T04:33:09.425345+00:00", "value": {"mitigation_remediation": ["Apply the vendor-supplied firmware update as soon as it is released", "When pairing, do so in a secure, private location to ensure no other device can interfere", "Store the physical key in a secure place and avoid leaving the motorcycle in the ON position with the key when unattended"], "summary": {"action": "Update Firmware", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Zero Motorcycles' firmware, versions 44 and prior, are affected. The vulnerability exists in the Bluetooth pairing and OTA update mechanisms of these firmware builds.", "description_and_impact": "Zero Motorcycles firmware versions 44 and earlier allow an attacker to force a Bluetooth pairing with the motorcycle without proper entity authentication. Once paired, the attacker can use the over\u2011the\u2011air firmware update feature to install malicious firmware, effectively gaining the ability to run arbitrary code on the bike. This flaw is a form of improper authentication and is catalogued as CWE\u2011322.", "risk_and_exploitability": "The CVSS score of 5.9 indicates moderate severity, and there is no EPSS data available. The defect is not listed in the CISA KEV catalog, but it requires physical proximity and the motorcycle to be in pairing mode, limiting the likelihood of exploitation to organized or opportunistic attackers. The impact is potentially significant, granting attackers remote code execution through malicious firmware, but the surface is constrained by the need for close-range, manual pairing."}}}}, "created": "2026-04-22T02:15:05.405432+00:00", "updated": "2026-04-22T04:45:09.344949+00:00", "vendors": []}